What is a DMARC forensic report (RUF)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
A DMARC forensic report is a single-message failure notification that's sent when a message fails DMARC checks. Unlike aggregate reports, which come once a day and summarize authentication across all your sending, forensic reports trigger per event and arrive close to real-time.
The report format is derived from ARF (Abuse Reporting Format), originally designed for spam complaints. A forensic report contains:
- The original message headers (or a subset of them)
- Authentication results (SPF, DKIM, DMARC outcome)
- Source IP and envelope from information
- Sometimes a redacted or full version of the message body
The idea is to give you enough detail to diagnose exactly why a message failed. If you're seeing mysterious DMARC failures and you want to look at an actual failing message, forensic reports are the tool.
The practical problem with forensic reports today: Gmail stopped sending them. Yahoo reduced them. Most major providers have curtailed forensic reporting because of privacy concerns: these reports can contain personal information from real email messages, and the risk of exposing that data outweighs the debugging benefit in most cases. If you configure ruf=, you'll still receive forensic reports from some providers and corporate mail infrastructure, but the major consumer providers are largely no longer participating.
For ongoing authentication monitoring, aggregate reports (RUA) are what most senders rely on. Forensic reports are more useful for active incident response when you know something is breaking and want to see samples.
To receive forensic reports, add ruf=mailto:your-address@domain.com to your DMARC record. You can also set fo= to control which types of failures trigger a report.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.